I'm trying to distribute a sandboxed macOS app with a PacketTunnelProvider (system extension) via direct distribution (outside of AppStore). The app and the extension both use the same app group, using the new group.com.XXXX.YYYY format detailed here for 10.15+ https://developer.apple.com/forums/thread/721701 I've also followed the instructions below to get around the quirk of not being able to directly process it via XCode: https://developer.apple.com/forums/thread/737894 I've re-signed with Developer ID certificate, all that is smooth and successfully notarized. However upon running the app I get: "My.app" would like to access data from other apps. Checking ~/Library/Containers ~/Library/Group Containers I see the correct files folders have been created before I select Don't Allow and Allow. My app does not access any files or folders outside of the sandboxed directories. How can I prevent this from happening? In order to diagnose further, how to diagnose exactly which files/folder the app is trying to access that is causing this problem?

In my Packet Tunnel Provider, I'm setting the NEDNSSettings to localhost as I have a local DNS server listening on port 53 (this is a dns forwarder which conditionally forwards to different upstreams based on rules). On iOS it works just fine, I'm able to listen on localhost:53 in the Network Extension, then set NEDNSSettings servers to "127.0.0.1". However on macOS due to the port being under 1024, I get a Permission denied OS code 13 error. I'm assuming this is due to the Network Extension not running as root. Can this be changed? This could be rectified if you could customize the port in NEDNSSettings, as the listener could be on port 5353, but it doesn't look like it is possible? Just wondering if there is some other way to accomplish what I'm trying to do in the macOS Network Extension?

I'm trying to create a network extension packaged as a system extension on macOS, let request = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: "com.example.Desktop.PacketTunnelDesktop", queue: DispatchQueue.main) request.delegate = delegate // Submit the request to the system. let extensionManager = OSSystemExtensionManager.shared extensionManager.submitRequest(request) The application is installed in /Applications, I have also turned off SIP and systemextensionsctl developer on I'm not getting any breakpoint hits on my request delegate, but I am getting some logs in the console app: making activation decision for extension with teamID teamID("XXXXXX"), identifier com.example.Desktop.PacketTunnelDesktop no related kext found for sysex `com.example.Desktop.PacketTunnelDesktop` extension XXXXXXX com.example.Desktop.PacketTunnelDesktop (1.0/1) advancing state from validating to validating_by_category validate: category: com.apple.system_extension.network_extension, extension: com.example.Desktop.PacketTunnelDesktop waiting for external validation of extension with identifier com.example.Desktop.PacketTunnelDesktop It seems to stop here, and running systemsextensionsctl list shows: [validating by category] as the status. I'm trying to find some barebones example code for a network extension packaged as system extension but couldn't find any. Any ideas where to go from here?

I have created a NEPacketTunnelProvider which seems to work currently in testing. However I have noticed that the DNS do not go through the TUN interface, even setting a bogus DNS server in NEPacketTunnelNetworkSettings still has no effect and I'm able to browse just fine. I also know that there is the DNS Proxy Provider, can it be used in conjuction with Packet Tunnel Provider? Though from what I have read this is not available for the general public and can only be used on supervised / managed devices? Are there any supported methods of running a local DNS server, say on 127.0.0.1 and redirect all DNS queries to this server?